CN110011781A - Homomorphic encryption method for transaction amount encryption supporting zero-knowledge proofs - Google Patents

Info

Publication number
CN110011781A
Authority
CN (China)
Prior art keywords
ciphertext, zero, transaction, amount, transaction amount
Legal status
Granted
Application number
CN201910160273.5A
Other languages
Chinese (zh)
Other versions
CN110011781B (en)
Inventors
王志鹏, 孟庆树, 路松峰, 贺东博, 王同洋
Current Assignee
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Legal events
Application filed by Huazhong University of Science and Technology
Priority to CN201910160273.5A
Publication of CN110011781A
Application granted
Publication of CN110011781B
Expired - Fee Related (current legal status)

Classifications

    • G06Q20/3829 Payment protocols insuring higher security of transaction, involving key management (G06Q20/00 Payment architectures, schemes or protocols)
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols involving homomorphic encryption
    • H04L9/3221 Cryptographic mechanisms for verifying the identity or authority of a user or for message authentication, using proof of knowledge (H04L9/3218, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs), interactive zero-knowledge proofs


Abstract

The invention discloses a homomorphic encryption method for encrypting transaction amounts that supports zero-knowledge proofs, in the field of information security technology. The method comprises: generating a public key, a private key and zero-knowledge parameters according to the zero-knowledge proof requirements and the Paillier algorithm; for a given plaintext, encrypting with the encryption algorithm, the public key and the zero-knowledge parameters, and outputting the ciphertext (E, c1, c2); for a given ciphertext, decrypting with the decryption algorithm and the private key, and outputting the plaintext. The invention improves the Paillier homomorphic algorithm by splitting the ciphertext into three parts (E, c1, c2): the three parts together serve to encrypt the transaction amount, while the commitment part E can additionally be used in zero-knowledge range proofs over the transaction amount. The Paillier algorithm is thereby combined with zero-knowledge range proofs based on FO commitments, so that range proofs over ciphertexts are supported. The method can be used both for transaction amount encryption and range proofs in the account model and for transaction amount encryption and range proofs in the UTXO model.

Description

Homomorphic encryption method for transaction amount encryption supporting zero-knowledge proofs
Technical field
The invention belongs to the field of information security technology and relates in particular to a homomorphic encryption method for encrypting transaction amounts that supports zero-knowledge proofs.
Background technique
Blockchain technology is, in essence, a continuously growing distributed database maintained jointly by many parties. Its decentralization, collective maintenance, openness and transparency, tamper resistance and pseudonymity have attracted wide attention. The most representative blockchain platforms today are Bitcoin, Ethereum and Hyperledger Fabric.
Hyperledger Fabric is an open-source permissioned consortium chain. The network consists of a consensus service and many channels; all channels share one consensus service, which is called the orderer. Each channel maintains its own ledger, which is shared among the member peers of the channel. Because its functional modules are pluggable (for example the consensus service and the encryption algorithms), Fabric is a general-purpose consortium chain framework and has become a de facto standard for consortium chains, used for example by the blockchain service platforms of JD.com, Alibaba and Huawei. However, because the ledger is open and transparent (or transparent within a certain scope) and only pseudonymous, transaction amounts stored in plaintext leak user privacy. Several projects that hide transaction amounts have therefore appeared, such as Zerocash, Monero and RingCT.
There are also many additively homomorphic algorithms, among which the Paillier homomorphic encryption algorithm has the best overall performance; however, it does not support range proofs over ciphertexts.
Summary of the invention
In view of the drawbacks of the prior art, the object of the invention is to solve the technical problem that the prior-art Paillier homomorphic encryption algorithm does not support range proofs over ciphertexts.
To achieve the above object, in a first aspect, an embodiment of the invention provides a homomorphic encryption method supporting zero-knowledge proofs, comprising the following steps:
S1. generating a public key, a private key and zero-knowledge parameters according to the zero-knowledge proof requirements and the Paillier algorithm;
S2. for a given plaintext, encrypting with the encryption algorithm, the public key and the zero-knowledge parameters, and outputting the ciphertext (E, c1, c2);
S3. for a given ciphertext, decrypting with the decryption algorithm and the private key, and outputting the plaintext.
Specifically, step S1 comprises the following steps:
S101. generate g1 in the same way as g is generated in the Paillier algorithm;
S102. select a random number r < n², compute g2 = g1^r mod n², and require that gcd(L(g2^λ mod n²), n) = 1, where L(u) = (u − 1)/n and λ = lcm(p − 1, q − 1);
S103. select a random number x < n and compute h = g2^x mod n²;
where n = pq, p and q are two randomly chosen large primes, lcm() is the least common multiple of its two arguments and gcd() is the greatest common divisor of its two arguments.
The generated public key PaillierPub is then (g1, g2, h, n), the private key PaillierPrv is (λ, x), and the zero-knowledge parameter zkpPrm is (g1, h, n²).
Specifically, the plaintext encryption process Encrypt(m, PaillierPub, zkpPrm, r0, r1) is: for plaintext m, m ∈ Z_n, select random numbers r0 < n² and r1 < n; the encryption process is as follows: c2 = r1^n mod n², and the resulting ciphertext is (E, c1, c2).
Specifically, the ciphertext decryption process Decrypt((E, c1, c2), PaillierPrv) is: for ciphertext (E, c1, c2), the decryption process is
Specifically, the ciphertext random number decryption is:
for c1, c2, the ciphertext random number and the plaintext random number
In a second aspect, an embodiment of the invention provides a blockchain transaction amount encryption method, characterized in that the transaction amount is encrypted with the homomorphic encryption method supporting zero-knowledge proofs of the first aspect.
Specifically, the homomorphic encryption method can be used both for transaction amount encryption and range proofs in the account model and for transaction amount encryption and range proofs in the UTXO model.
Specifically, when Alice transfers a transaction amount T to Bob, the data processing flow at the Alice application end that initiates the transaction is as follows:
Step S1. obtain Alice's parameters PaillierPubA, PaillierPrvA, zkpPrmA and Bob's parameters PaillierPubB, zkpPrmB;
Step S2. using PaillierPrvA and zkpPrmA, decrypt the input UTXO amounts (input1, input2) with the homomorphic encryption method supporting zero-knowledge proofs, verify the UTXO amounts, and compute the change B;
Step S3. after the UTXO amounts have been verified, encrypt the transaction amount T with the homomorphic encryption method supporting zero-knowledge proofs, once under PaillierPubA and zkpPrmA and once under PaillierPubB and zkpPrmB, obtaining the ciphertext transaction amounts c_ta and c_tb;
Step S4. generate the proof ElproofT, which proves that the two commitments c_ta.E and c_tb.E contain the same data T;
Step S5. using PaillierPubA and zkpPrmA, encrypt the change with the homomorphic encryption method supporting zero-knowledge proofs and return it to Alice;
Step S6. compute the total input amount c_inputsum of the transaction as the sum of the ciphertext UTXOs input1 and input2, and compute the total output amount c_outputsum of the transaction from c_tb and c_ba;
Step S7. generate the proof ElproofB that the transaction input amount equals the transaction output amount;
Step S8. generate the proof ZkpRangeProofT that T is greater than 0, and the proof ZkpRangeProofB that B is greater than 0.
Specifically, step S2 is:
Decrypt(input1, PaillierPrvA, zkpPrmA) yields the plaintext input1Balance and the plaintext random number r0input1;
Decrypt(input2, PaillierPrvA, zkpPrmA) yields the plaintext input2Balance and the plaintext random number r0input2;
verify whether the input amount is greater than or equal to the output amount T: check(input1Balance + input2Balance >= T); if so, compute the balance B = input1Balance + input2Balance − T and proceed to step S3; otherwise the transaction fails and terminates.
In a third aspect, an embodiment of the invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the homomorphic encryption method supporting zero-knowledge proofs of the first aspect.
In general, compared with the prior art, the technical solution contemplated by the invention has the following beneficial effects:
The invention improves the Paillier homomorphic algorithm by splitting the ciphertext into three parts (E, c1, c2). The three parts together serve to encrypt the transaction amount, while the commitment part E can additionally be used in zero-knowledge range proofs over the transaction amount, so that the Paillier algorithm is combined with zero-knowledge range proofs based on FO commitments and range proofs over ciphertexts are supported.
Brief description of the drawings
Fig. 1 is a schematic diagram of the data processing flow at the Alice application end provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of the smart contract processing flow provided by an embodiment of the invention.
Specific embodiments
To make the objectives, technical solutions and advantages of the invention clearer, the invention is further elaborated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only illustrate the invention and do not limit it.
The Paillier homomorphic encryption algorithm is an additively homomorphic algorithm.
1. Key generation
(1) Randomly select two large primes p and q.
(2) Compute n = pq and λ = lcm(p − 1, q − 1), where lcm() is the least common multiple of its two arguments.
(3) Choose a random number g ∈ Z*_{n²} such that μ = (L(g^λ mod n²))^−1 mod n exists, where Z*_{n²} is the multiplicative group formed by the natural numbers not greater than n² and L(u) = (u − 1)/n.
The public key is then (n, g) and the private key is (λ, μ).
2. Encryption process
For plaintext m, m ∈ Z_n, select a random number r < n; the encryption process is c = g^m · r^n mod n².
3. Decryption process
For ciphertext c, the decryption process is
Fujisaki-Okamoto commitment (FO commitment)
Suppose Alice and Bob do not know the factorization of n, g ∈ Z*_n, h ∈ ⟨g⟩, and the orders of g and h are primes larger than 160 bits, which makes computing discrete logarithms in the cyclic group they generate infeasible. Alice does not know log_g h or log_h g. She randomly selects r ∈_R {−2^s·n + 1, …, 2^s·n − 1}, computes E(x, r) = g^x · h^r mod n, and sends E(x, r) to Bob as a commitment to x. Without knowing the factorization of n and log_g h, Alice cannot find x1 ≠ x2 such that E(x1, r1) = E(x2, r2); Bob, in turn, cannot obtain any information about x from E(x, r), and the commitment is statistically secure. This commitment is called the Fujisaki-Okamoto commitment, or FO commitment for short.
Zero-knowledge proof
A zero-knowledge proof allows a prover to convince a verifier that some statement is true without giving the verifier any useful information; zero-knowledge proofs are divided into interactive and non-interactive ones. They can be used to solve problems such as blockchain privacy protection and transaction legitimacy verification.
To combine the Paillier algorithm with zero-knowledge range proofs based on FO commitments, the invention improves the Paillier algorithm as follows.
1. Key generation
g1 is generated in the same way as g in the original Paillier algorithm.
Generation of g2: select a random number r < n², compute g2 = g1^r mod n², and require that gcd(L(g2^λ mod n²), n) = 1, where L(u) = (u − 1)/n and λ = lcm(p − 1, q − 1).
Generation of h: select a random number x < n and compute h = g2^x mod n².
The homomorphic algorithm public key PaillierPub is then (g1, g2, h, n), the private key PaillierPrv is (λ, x), and the zero-knowledge parameter zkpPrm is (g1, h, n²).
2. Plaintext encryption process Encrypt(m, PaillierPub, zkpPrm, r0, r1)
For plaintext m, m ∈ Z_n, select random numbers r0 < n² and r1 < n; the encryption process is as follows: c2 = r1^n mod n², and the resulting ciphertext is (E, c1, c2).
3. Ciphertext decryption process Decrypt((E, c1, c2), PaillierPrv)
For ciphertext (E, c1, c2), the decryption process is
4. Ciphertext random number decryption process
For c1, c2, the ciphertext random number and the plaintext random number
5. Additive homomorphism property
Given plaintexts ma and mb, encrypting each yields the ciphertexts Encrypt(ma) = (Ea, c1a, c2a) and Encrypt(mb) = (Eb, c1b, c2b).
Define the homomorphic combination of Encrypt(ma) and Encrypt(mb) as (E, c1, c2), where E = Ea · Eb mod n², c1 = c1a · c1b mod n² and c2 = c2a · c2b mod n².
The decryption process is as follows, which yields
where r0a and r0b are the random numbers used in computing Ea and Eb, and r1a and r1b are the random numbers used in computing c2a and c2b.
The improved Paillier homomorphic encryption algorithm proposed by the invention can be used not only to encrypt transaction amounts but also supports range checks on ciphertexts with zero-knowledge proofs. The invention can be used both for transaction amount encryption and range proofs in the account model and for transaction amount encryption and range proofs in the UTXO (Unspent Transaction Output) model.
UTXO model
Every transaction has several transaction inputs, that is, sources of funds, and several transaction outputs, that is, destinations of funds. In general, each transaction spends an input and generates an output, and the output it generates is an "unspent transaction output", that is, a UTXO. UTXOs (Unspent Transaction Outputs) are a key concept in the generation and verification of Bitcoin transactions. Transactions form a chain structure: every legal Bitcoin transaction can be traced back to the outputs of one or more previous transactions, the sources of these chains are all mining rewards, and their ends are the currently unspent transaction outputs.
The invention describes the encryption process in detail by taking the UTXO model as an example, together with the zero-knowledge proof process that an encrypted amount is greater than 0. The ciphertext (E, c1, c2) of the invention consists of three parts; the whole is used for decryption, while E is used for the various zero-knowledge proofs. Depending on the scenario, it can be used for the proof that transaction amounts are equal, the proof that the inputs of a transaction equal its outputs, and the proof that the change and the transaction amount are greater than 0.
Since FO commitments and the zero-knowledge range proof protocol are existing results, the invention does not describe them in detail and only describes the functions used.
The function ElproofGenerator is used to generate Elproof, a proof that the same data is hidden in two commitments.
The function ZKPRangeProofGenerator is used to generate the range proof ZkpRangeProof, a proof that the data hidden in an FO commitment lies in the interval [a, b].
The function ElproofValidator uses Elproof to verify that two commitments indeed hide the same data.
The function ZKPRangeProofValidator uses the range proof ZkpRangeProof to verify that the data hidden in an FO commitment indeed lies in the interval [a, b].
A typical case is described as follows: Alice transfers to Bob, the transaction amount is T (tokens), the input ciphertext UTXOs are input1 and input2, and the change is B. Taking this transaction as an example, we illustrate how the client and the chaincode on the chain work.
As shown in Fig. 1, the data processing flow at the Alice application end is as follows:
Step S1. Obtain Alice's parameters PaillierPubA, PaillierPrvA, zkpPrmA and Bob's parameters PaillierPubB, zkpPrmB.
Step S2. Using PaillierPrvA and zkpPrmA, decrypt the input UTXO amounts (input1, input2) with the improved Paillier algorithm, verify the UTXO amounts, and compute the change.
Decrypt(input1, PaillierPrvA, zkpPrmA) yields the plaintext input1Balance and the plaintext random number r0input1.
Decrypt(input2, PaillierPrvA, zkpPrmA) yields the plaintext input2Balance and the plaintext random number r0input2.
Verify whether the input amount is greater than or equal to the output amount T: check(input1Balance + input2Balance >= T); if so, compute the balance B = input1Balance + input2Balance − T and proceed to step S3; otherwise the transaction fails and terminates.
Step S3. Encrypt the transaction amount T with the improved Paillier algorithm, once under PaillierPubA and zkpPrmA and once under PaillierPubB and zkpPrmB, obtaining the ciphertext transaction amounts c_ta and c_tb.
Select random numbers r0_ta < PaillierPubA.n² and r1_ta < PaillierPubA.n, and use Encrypt(T, PaillierPubA, zkpPrmA, r0_ta, r1_ta) to generate the ciphertext transaction amount c_ta for Alice.
Select random numbers r0_tb < PaillierPubB.n² and r1_tb < PaillierPubB.n, and use Encrypt(T, PaillierPubB, zkpPrmB, r0_tb, r1_tb) to generate the ciphertext transaction amount c_tb for Bob.
Step S4. Generate the proof ElproofT that the two commitments c_ta.E and c_tb.E contain the same data T.
ElproofGenerator(T, r0_ta, r0_tb, PaillierPubA, PaillierPubB, zkpPrmB, zkpPrmA, c_ta.E, c_tb.E) generates the proof Elproof(c_ta, c_tb) = ElproofT.
Step S5. Using PaillierPubA and zkpPrmA, encrypt the change with the improved Paillier algorithm and return it to Alice.
Select random numbers r0_ba < PaillierPubA.n² and r1_ba < PaillierPubA.n, and use Encrypt(B, PaillierPubA, zkpPrmA, r0_ba, r1_ba) to generate the ciphertext change c_ba.
Step S6. Compute the total input amount c_inputsum of the transaction as the sum of the ciphertext UTXOs input1 and input2, and compute the total output amount c_outputsum of the transaction from c_tb and c_ba.
Step S7. Generate the proof ElproofB that the transaction input amount equals the transaction output amount.
r0_input = r0input1 + r0input2.
r0_output = r0_ba + r0_ta.
sum = input1Balance + input2Balance.
Generate the proof ElproofGenerator(sum, r0_input, r0_output, PaillierPubA, PaillierPubA, zkpPrmA, zkpPrmA, c_inputsum.E, c_outputsum.E) = ElproofB.
Step S8. Generate the proofs that T and B are both greater than 0.
ZKPRangeProofGenerator(T, r0_ta, c_ta.E, PaillierPubA, zkpPrmA, range [0, B]) generates the proof ZkpRangeProofT that T is greater than 0.
ZKPRangeProofGenerator(B, r0_ba, c_ba.E, PaillierPubA, zkpPrmA, range [0, B]) generates the proof ZkpRangeProofB that B is greater than 0.
The relevant data are assembled and put on the blockchain, specifically: the ciphertexts c_ta and c_tb of the transaction amount, the ciphertext balance c_ba after the transaction, ElproofT, ElproofB, ZkpRangeProofT and ZkpRangeProofB, for verification by the blockchain nodes.
The ciphertext (E, c1, c2) of the invention consists of three parts; the whole is used for decryption, while E is used for the various zero-knowledge proofs. Depending on the scenario, it can be used for the proof that transaction amounts are equal, the proof that the inputs of a transaction equal its outputs, and the proof that the change and the transaction amount are greater than 0.
As shown in Fig. 2, the smart contract at the chaincode end verifies the legitimacy of the transaction; the smart contract processing flow is as follows:
Step S1. Obtain Alice's parameters PaillierPubA, zkpPrmA and Bob's parameters PaillierPubB, zkpPrmB, and obtain ElproofT, ElproofB, ZkpRangeProofT, ZkpRangeProofB, input1, input2, c_ta, c_tb, c_ba from the transaction sent by the client.
Step S2. Verify that the commitments c_ta.E and c_tb.E hide the same number T:
ElproofValidator(c_ta.E, c_tb.E, PaillierPubA, PaillierPubB, zkpPrmA, zkpPrmB, ElproofT).
Step S3. Verify that the transaction input amount equals the transaction output amount:
E_output = c_ta.E · c_ba.E mod PaillierPubA.n²
E_input = input1.E · input2.E mod PaillierPubA.n²
ElproofValidator(E_output, E_input, PaillierPubA, PaillierPubA, zkpPrmA, zkpPrmA, ElproofB).
Step S4. Verify that the data values hidden in the commitments c_ta.E and c_ba.E are greater than 0:
ZKPRangeProofValidator(ZkpRangeProofT, c_ta.E, PaillierPubA, zkpPrmA).
ZKPRangeProofValidator(ZkpRangeProofB, c_ba.E, PaillierPubA, zkpPrmA).
For each verification, if it fails the transaction fails; otherwise the subsequent steps continue. If all of the above verifications pass, the chaincode end (at the blockchain node) has verified that the transaction is legal.
The above is only a preferred specific embodiment of the application, but the scope of protection of the application is not limited to it; any changes or substitutions that a person skilled in the art can readily conceive within the technical scope disclosed in the application fall within the scope of protection of the application. Therefore, the scope of protection of the application is subject to the scope of protection of the claims.
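The key generation of steps S101-S103, the additive homomorphism of section 5, and the commitment products the chaincode multiplies in its step S3, as an added worked example in Python (not the patent's code). It assumes the commitment E has the FO form g1^m · h^r0 mod n² over zkpPrm = (g1, h, n²), uses constructed toy primes, checks the input/output equality by opening the commitments directly rather than through the zero-knowledge ElproofValidator the page does not spell out, and leaves out c_tb, the page's c1 and the range proofs.

```python
import math
import secrets
from dataclasses import dataclass

P, Q = 1009, 1013   # constructed toy primes so the example runs instantly; real keys are far larger

@dataclass
class PublicKey:    # PaillierPub = (g1, g2, h, n); zkpPrm = (g1, h, n^2) is read from the same fields
    g1: int
    g2: int
    h: int
    n: int

@dataclass
class PrivateKey:   # PaillierPrv = (lambda, x); mu is the usual Paillier decryption constant
    lam: int
    x: int          # kept as part of PaillierPrv; the page's (E, c1, c2) decryption using it is not reproduced
    mu: int

def L(u, n):
    return (u - 1) // n

def keygen(p=P, q=Q):
    """Improved key generation, steps S101-S103 of the description."""
    n, n2 = p * q, (p * q) ** 2
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)          # lcm(p-1, q-1)
    while True:                                                # S101: g1 as in plain Paillier
        g1 = secrets.randbelow(n2 - 1) + 1
        if math.gcd(g1, n2) == 1 and math.gcd(L(pow(g1, lam, n2), n), n) == 1:
            break
    mu = pow(L(pow(g1, lam, n2), n), -1, n)
    while True:                                                # S102: g2 = g1^r mod n^2, r < n^2
        g2 = pow(g1, secrets.randbelow(n2), n2)
        if math.gcd(L(pow(g2, lam, n2), n), n) == 1:
            break
    x = secrets.randbelow(n - 1) + 1                           # S103: h = g2^x mod n^2, x < n
    h = pow(g2, x, n2)
    return PublicKey(g1, g2, h, n), PrivateKey(lam, x, mu)

def paillier_encrypt(pk, m):
    """Plain Paillier part: c = g1^m * r1^n mod n^2 with a random r1 < n coprime to n."""
    while True:
        r1 = secrets.randbelow(pk.n - 1) + 1
        if math.gcd(r1, pk.n) == 1:
            break
    return (pow(pk.g1, m, pk.n ** 2) * pow(r1, pk.n, pk.n ** 2)) % pk.n ** 2

def paillier_decrypt(pk, sk, c):   # standard Paillier decryption: m = L(c^lambda mod n^2) * mu mod n
    return (L(pow(c, sk.lam, pk.n ** 2), pk.n) * sk.mu) % pk.n

def commit(pk, m, r0):
    """FO-style commitment over zkpPrm = (g1, h, n^2). ASSUMPTION: E = g1^m * h^r0 mod n^2;
    the page lists only the parameters, not the expression for E."""
    return (pow(pk.g1, m, pk.n ** 2) * pow(pk.h, r0, pk.n ** 2)) % pk.n ** 2

def encrypt_amount(pk, m):
    """(E, c, r0): commitment, Paillier ciphertext, and the randomness kept to open E later."""
    r0 = secrets.randbelow(pk.n ** 2)
    return commit(pk, m, r0), paillier_encrypt(pk, m), r0

def alice_build_transaction(pk, sk, inputs, T):
    """Alice's steps S2, S3, S5 and S7 under a single key pair (c_tb, ElproofT and the range
    proofs are left out); inputs are the (E, c, r0) triples Alice holds for her UTXOs."""
    total = sum(paillier_decrypt(pk, sk, c) for (_E, c, _r0) in inputs)     # S2
    if total < T:                                   # check(input1Balance + input2Balance >= T)
        return None                                 # transaction fails
    B = total - T                                   # change
    c_ta, c_ba = encrypt_amount(pk, T), encrypt_amount(pk, B)               # S3, S5
    return {"c_ta": c_ta, "c_ba": c_ba, "B": B, "sum": total,
            "r0_input": sum(r0 for (_E, _c, r0) in inputs),                  # S7 openings
            "r0_output": c_ta[2] + c_ba[2]}

def chaincode_checks(pk, tx, inputs):
    """Chaincode step S3: E_output = c_ta.E * c_ba.E and E_input = input1.E * input2.E (mod n^2).
    The page verifies ElproofB in zero knowledge; here the relation it certifies is checked by
    opening both products with (sum, r0_input) and (sum, r0_output)."""
    E_input = math.prod(E for (E, _c, _r0) in inputs) % pk.n ** 2
    E_output = (tx["c_ta"][0] * tx["c_ba"][0]) % pk.n ** 2
    return (commit(pk, tx["sum"], tx["r0_input"]) == E_input
            and commit(pk, tx["sum"], tx["r0_output"]) == E_output)

def homomorphic_sum_matches(pk, sk, inputs, tx):   # section 5: decrypting a product of ciphertexts gives the sum
    c_in = math.prod(c for (_E, c, _r0) in inputs) % pk.n ** 2
    c_out = (tx["c_ta"][1] * tx["c_ba"][1]) % pk.n ** 2
    return paillier_decrypt(pk, sk, c_in) == paillier_decrypt(pk, sk, c_out) == tx["sum"]

def demo():
    pk, sk = keygen()
    inputs = [encrypt_amount(pk, 60), encrypt_amount(pk, 50)]   # constructed UTXOs input1, input2
    tx = alice_build_transaction(pk, sk, inputs, T=70)          # change B = 40
    tampered = dict(tx, r0_output=tx["r0_output"] + 1)         # a wrong opening must be rejected
    return {"B": tx["B"],
            "inputs_equal_outputs": chaincode_checks(pk, tx, inputs),
            "homomorphic_sum": homomorphic_sum_matches(pk, sk, inputs, tx),
            "tampered_rejected": not chaincode_checks(pk, tampered, inputs),
            "overspend_rejected": alice_build_transaction(pk, sk, inputs, T=200) is None}

if __name__ == "__main__":
    print(demo())
```

Because E_input and E_output are products of commitments, they commit to the same sum under the summed randomness, which is exactly the relation ElproofB lets the chaincode verify without learning the amounts.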

Claims (10)

1. A homomorphic encryption method supporting zero-knowledge proofs, characterized in that the method comprises the following steps:
S1. generating a public key, a private key and zero-knowledge parameters according to the zero-knowledge proof requirements and the Paillier algorithm;
S2. for a given plaintext, encrypting with the encryption algorithm, the public key and the zero-knowledge parameters, and outputting the ciphertext (E, c1, c2);
S3. for a given ciphertext, decrypting with the decryption algorithm and the private key, and outputting the plaintext.
2. The homomorphic encryption method of claim 1, characterized in that step S1 comprises the following steps:
S101. generating g1 in the same way as g is generated in the Paillier algorithm;
S102. selecting a random number r < n², computing g2 = g1^r mod n², and requiring that gcd(L(g2^λ mod n²), n) = 1, where L(u) = (u − 1)/n and λ = lcm(p − 1, q − 1);
S103. selecting a random number x < n and computing h = g2^x mod n²;
where n = pq, p and q are two randomly chosen large primes, lcm() is the least common multiple of its two arguments and gcd() is the greatest common divisor of its two arguments;
the generated public key PaillierPub is then (g1, g2, h, n), the private key PaillierPrv is (λ, x), and the zero-knowledge parameter zkpPrm is (g1, h, n²).
3. The homomorphic encryption method of claim 2, characterized in that the plaintext encryption process Encrypt(m, PaillierPub, zkpPrm, r0, r1) is: for plaintext m, m ∈ Z_n, select random numbers r0 < n² and r1 < n; the encryption process is as follows: c2 = r1^n mod n², and the resulting ciphertext is (E, c1, c2).
4. The homomorphic encryption method of claim 2, characterized in that the ciphertext decryption process Decrypt((E, c1, c2), PaillierPrv) is: for ciphertext (E, c1, c2), the decryption process is
5. The homomorphic encryption method of claim 2, characterized in that the ciphertext random number decryption is:
for c1, c2, the ciphertext random number and the plaintext random number
6. A blockchain transaction amount encryption method, characterized in that the transaction amount is encrypted with the homomorphic encryption method supporting zero-knowledge proofs of any one of claims 1 to 5.
7. The blockchain transaction amount encryption method of claim 6, characterized in that the homomorphic encryption method can be used both for transaction amount encryption and range proofs in the account model and for transaction amount encryption and range proofs in the UTXO model.
8. The blockchain transaction amount encryption method of claim 6, characterized in that, when Alice transfers a transaction amount T to Bob, the data processing flow at the Alice application end that initiates the transaction is as follows:
Step S1. obtain Alice's parameters PaillierPubA, PaillierPrvA, zkpPrmA and Bob's parameters PaillierPubB, zkpPrmB;
Step S2. using PaillierPrvA and zkpPrmA, decrypt the input UTXO amounts (input1, input2) with the homomorphic encryption method supporting zero-knowledge proofs, verify the UTXO amounts, and compute the change B;
Step S3. after the UTXO amounts have been verified, encrypt the transaction amount T with the homomorphic encryption method supporting zero-knowledge proofs, once under PaillierPubA and zkpPrmA and once under PaillierPubB and zkpPrmB, obtaining the ciphertext transaction amounts c_ta and c_tb;
Step S4. generate the proof ElproofT that the two commitments c_ta.E and c_tb.E contain the same data T;
Step S5. using PaillierPubA and zkpPrmA, encrypt the change with the homomorphic encryption method supporting zero-knowledge proofs and return it to Alice;
Step S6. compute the total input amount c_inputsum of the transaction as the sum of the ciphertext UTXOs input1 and input2, and compute the total output amount c_outputsum of the transaction from c_tb and c_ba;
Step S7. generate the proof ElproofB that the transaction input amount equals the transaction output amount;
Step S8. generate the proof ZkpRangeProofT that T is greater than 0, and the proof ZkpRangeProofB that B is greater than 0.
9. The blockchain transaction amount encryption method of claim 8, characterized in that step S2 is:
Decrypt(input1, PaillierPrvA, zkpPrmA) yields the plaintext input1Balance and the plaintext random number r0input1;
Decrypt(input2, PaillierPrvA, zkpPrmA) yields the plaintext input2Balance and the plaintext random number r0input2;
verify whether the input amount is greater than or equal to the output amount T: check(input1Balance + input2Balance >= T); if so, compute the balance B = input1Balance + input2Balance − T and proceed to step S3; otherwise the transaction fails and terminates.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium and, when executed by a processor, the computer program implements the homomorphic encryption method supporting zero-knowledge proofs of any one of claims 1 to 5.
CN201910160273.5A 2019-03-04 2019-03-04 Homomorphic encryption method and medium for transaction amount encryption and supporting zero knowledge proof Expired - Fee Related CN110011781B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910160273.5A CN110011781B (en) 2019-03-04 2019-03-04 Homomorphic encryption method and medium for transaction amount encryption and supporting zero knowledge proof

Publications (2)

Publication Number Publication Date
CN110011781A true CN110011781A (en) 2019-07-12
CN110011781B CN110011781B (en) 2020-05-19

Family

ID=67166369

Country Status (1)

Country Link
CN (1) CN110011781B (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110855631A (en) * 2019-10-24 2020-02-28 南京可信区块链与算法经济研究院有限公司 Monitorable zero knowledge verification method and system in block chain and storage medium
CN111429138A (en) * 2020-03-25 2020-07-17 中国工商银行股份有限公司 Block link point data safety interaction method and first interaction node
CN111552736A (en) * 2020-03-30 2020-08-18 深圳壹账通智能科技有限公司 Method, device and storage medium for comparing peer-to-peer relationship of encrypted data
WO2021031460A1 (en) * 2019-08-20 2021-02-25 深圳市网心科技有限公司 Block chain transaction settlement method and system, and related device
CN112418857A (en) * 2020-11-30 2021-02-26 北京八分量信息科技有限公司 UTXO model-based hidden transaction method and device and related product
WO2021081866A1 (en) * 2019-10-31 2021-05-06 深圳市网心科技有限公司 Transaction method, device, and system based on account model, and storage medium
CN112765667A (en) * 2021-01-29 2021-05-07 北京市计算中心 Privacy protection method, device and system based on block chain
CN112765668A (en) * 2021-01-31 2021-05-07 西安电子科技大学 Zero-knowledge proof privacy protection method, system, storage medium and equipment
CN112785306A (en) * 2021-01-28 2021-05-11 武汉天喻聚联科技有限公司 Identical encryption method based on Paillier and application system
CN112989390A (en) * 2021-04-15 2021-06-18 深圳前海移联科技有限公司 Block chain homogeneous data sharing method based on pluggable homomorphic encryption
WO2021120861A1 (en) * 2019-12-17 2021-06-24 支付宝(杭州)信息技术有限公司 Method and apparatus for multi-party joint model data processing
CN113159762A (en) * 2021-01-28 2021-07-23 武汉天喻信息产业股份有限公司 Block chain transaction method based on Paillier and game theory
CN113222758A (en) * 2021-05-08 2021-08-06 华中科技大学 Alliance chain transaction information monitoring method, system and terminal on the premise of privacy
CN115203749A (en) * 2022-09-16 2022-10-18 天聚地合(苏州)科技股份有限公司 Data transaction method and system based on block chain

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020103999A1 (en) * 2000-11-03 2002-08-01 International Business Machines Corporation Non-transferable anonymous credential system with optional anonymity revocation
US20150295710A1 (en) * 2014-04-11 2015-10-15 Thomson Licensing Paillier-based blind decryption methods and devices
CN105491006A (en) * 2015-11-13 2016-04-13 河南师范大学 Device and method for sharing cloud outsourcing key
CN107682151A (en) * 2017-10-30 2018-02-09 武汉大学 A kind of GOST digital signature generation method and system
WO2018147800A1 (en) * 2017-02-09 2018-08-16 Huawei International Pte. Ltd. System and method for computing private keys for self certified identity based signature schemes
CN108418689A (en) * 2017-11-30 2018-08-17 矩阵元技术(深圳)有限公司 A kind of the zero-knowledge proof method and medium of suitable block chain secret protection
CN108667626A (en) * 2018-07-20 2018-10-16 陕西师范大学 The two sides cooperation SM2 endorsement methods of safety
US10200347B2 (en) * 2014-07-22 2019-02-05 Nanthealth, Inc. Homomorphic encryption in a healthcare network environment, system and methods

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (granted publication date: 20200519)